
Finding hosts on subnet using nmap.

When I'm at a client's network sometimes I have the task of trying to find active hosts within the network. Lately I've been using the ping sweep command for NMAP and saving my results to a file, like so:

nmap -oN activehosts.txt -vv -sP 192.168.0.0/24

However, the thought occurred to me: "what if a client is blocking ICMP pings?" That might be the case, at which point that client PC would be "hidden" from my sweep. So what's the best, most efficient way to hunt for active clients on a network, preferably using nmap?

What type of environment is it: Windows? Unix? Mixed? If it is a Windows environment using Active Directory and dynamic DNS, you could do a reverse lookup on the entire class. Some computers may still show up in DNS when in fact they are no longer on the network, but they will decay off with time.

Another thing you could do is not use the -sP and just look for active ports on the IPs. If a computer is not allowing ICMP when using nmap and it cannot ping it, I believe nmap detects it as down, so use the -P0.

I'm sure there are many other ways of detecting, such as getting on a span port and doing passive sniffing; this is just off the cuff, hope it helps some.

There are two rules for success in life:
Rule 1: Don't tell people everything you know.

This is a problem that will get worse and worse as XP SP2 and subsequent systems are implemented.... It's a Catch22... You either keep the firewalls up which means that you can't easily tell what's out there or you drop them and let everyone see everything you have... Outside that the administration of the firewalls becomes a very time consuming task.

Don't SYN us.... We'll SYN you..... "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

Originally posted here by Opus00:

What type of environment is it: Windows? Unix? Mixed? If it is a Windows environment using Active Directory and dynamic DNS, you could do a reverse lookup on the entire class. Some computers may still show up in DNS when in fact they are no longer on the network, but they will decay off with time.

Another thing you could do is not use the -sP and just look for active ports on the IPs. If a computer is not allowing ICMP when using nmap and it cannot ping it, I believe nmap detects it as down, so use the -P0.

I'm sure there are many other ways of detecting, such as getting on a span port and doing passive sniffing; this is just off the cuff, hope it helps some.

There will be some sniffing in promiscuous mode. However I was curious if there was a quick and easy way to scan for hosts on the network.

It sounds like in your second paragraph you are recommending I use this command instead:

nmap -oN activehosts.txt -vv -P0 192.168.0.0/24

Are you saying that this will not ping the hosts but instead scan for active ports on all the hosts in a subnet? Which ports does it interrogate? All 65k? Does it do so randomly (more of a curiosity)? Does it prefer any type of stealth scanning with this option? Thanks for the help.

But... If a client has a firewall running you probably won't detect anything.. The firewall will block any and all incoming connections.. So this probably will not help you..

Are the tutorials you speak of on the main site or on the forum (via searching)? Also, while I recognize that most firewalls won't respond to most stealth scans, what about firewalking techniques (using non-RFC compliant packets)? Are those still popular?

If there is a firewall and the response comes back with filtered or closed, that could still be an indication that the computer may exist (host-based firewalls). Most of the time, if you try certain protocols on certain ports you will receive "host/network unreachable", which is a better indication that the computer doesn't exist.

If you are trying to determine if a host exists, the interpretation of the returning information is still useful. Let's say you try to contact a host and it returns "network unreachable": there's a good chance no other hosts exist on that network. If you get "host unreachable", then you know the network exists but the host may not. Now if you get "port unreachable", you know the host and network both exist; there is just no service listening on that port.

Make sense?

[edit]
From the nmap man page:
"The result of running nmap is usually a list of interesting ports on the machine(s) being scanned (if any). Nmap always gives the port's "well known" service name (if any), number, state, and protocol. The state is either "open", "filtered", or "unfiltered". Open means that the target machine will accept() connections on that port. Filtered means that a firewall, filter, or other network obstacle is covering the port and preventing nmap from determining whether the port is open. Unfiltered means that the port is known by nmap to be closed and no firewall/filter seems to be interfering with nmap's attempts to determine this. Unfiltered ports are the common case and are only shown when most of the scanned ports are in the filtered state."
[/edit]

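The "network unreachable / host unreachable / port unreachable" reasoning in the post above, as an added Python example that is not code from this thread: it builds a constructed ICMP destination-unreachable reply (RFC 792 type 3) to a TCP probe, verifies its checksum, and decodes which of the three inferences applies. The packet builder, field layout and result keys are assumptions for illustration.

```python
import struct

ICMP_DEST_UNREACH = 3
# RFC 792 destination-unreachable codes the post walks through
UNREACH_CODES = {0: "network unreachable", 1: "host unreachable", 3: "port unreachable"}
# What each reply implies about the probed host, per the post above
INFERENCE = {
    0: "network probably does not exist; do not expect other hosts on it",
    1: "network exists; host probably does not",
    3: "host and network exist; no service listening on that port",
}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words (0 when verifying a good packet)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_unreach(code: int, src: str, dst: str, dport: int, proto: int = 6) -> bytes:
    """Constructed sample: ICMP type 3 quoting the IPv4 header + first 8 bytes of our probe."""
    quoted_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                            bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    quoted_l4 = struct.pack("!HHI", 40000, dport, 0)  # source port, probed port, filler
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted_ip + quoted_l4
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def classify_unreach(packet: bytes) -> dict:
    """Parse one ICMP message and return what it implies about the host we probed."""
    if len(packet) < 36 or icmp_checksum(packet) != 0:
        raise ValueError("truncated ICMP message or bad checksum")
    icmp_type, code = packet[0], packet[1]
    if icmp_type != ICMP_DEST_UNREACH:
        return {"type": icmp_type, "inference": "not a destination-unreachable reply"}
    inner = packet[8:]                        # quoted IPv4 header of our own probe
    ihl = (inner[0] & 0x0F) * 4
    probed = ".".join(str(b) for b in inner[16:20])          # destination we probed
    dport = struct.unpack("!H", inner[ihl + 2: ihl + 4])[0]  # TCP/UDP port we probed
    return {"probed_host": probed, "probed_port": dport, "code": code,
            "reason": UNREACH_CODES.get(code, "other unreachable code %d" % code),
            "inference": INFERENCE.get(code, "host existence undetermined")}
```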

Err... Actually, without the response to NMap's ping, which would cause NMap to drop the attempt since the host would appear down, a properly firewalled machine with no services running would appear to be down too, because nothing would be returned by the firewall (no RSTs or anything), which is exactly the same as a machine that doesn't exist or is switched off...

So NMap becomes questionable at best for the OP's purposes as firewalls become more the norm than the exception... It's actually very hard to properly determine exactly what machines are sat on a network nowadays.


Tiger, I can't argue your point, nor will I; I totally agree. What I was trying to show is how you can use information saying something doesn't exist to show that it does exist; nmap itself doesn't give the ICMP replies that I used in my examples.

nmap is especially difficult to use when used against a perimeter firewall, since it is a single host at all times.

I was assuming that rogueactivex was inside the firewall since he stated:

I have the task of trying to find active hosts within the network

The school of thought is definitely changing due to software firewalls, as you stated with XP:

This is a problem that will get worse and worse as XP SP2 and subsequent systems are implemented

My whole point (apparently poorly stated) was to show how to glean information from the lack of information. It was just a concept, and I was trying to pass it on to someone with a question.
